Jean-Jacques Clar wrote:
> Testing 2.0 and 2.1 Head.
> I am running a test that requires frequent ejections of cache entities:
> max_cache_size and max_object_count are smaller than my sampling.
> 2 threads running at the concurrently on 2 CPUs.
>
> Thread1(T1): an entry is ejected from the cache in cache_insert(),
> resulting in a call to memcahe_cache_free() [c->free_entry(ejected)].
> Refcount is 1, obj->cleanup is 0.
>
> T2: a thread is calling apr_pool_clear() in worker_main/worker_thread()
> in the mpm main function (using worker|netware). That thread is calling
> decrement_refcount(), the registered cleanup function in mod_mem_cache.c.
> Both threads are working on the same cache_object.
> Refcount is 1, obj->cleanup is 0 when entering decrement_refcount().
>
> Then there is a race in both functions where the atomic_dec in
> decrement_refcount() will change the refcount to 0
It should not be possibe for two threads to atomically decrement the refcount on the same
object to 0. Sounds
like a bug in netware's apr_atomic_dec() function.
Bill